During Tuesday’s three-hour House Veterans Affairs Oversight and Investigations Subcommittee hearing, the inspector general offered a preview of why it believes the Department of Veterans Affairs (VA) Health Administration security has been deficient.
Linda Halliday, VA assistant inspector general for audits and evaluations, according to databreachtoday.com, provided insight during her testimony into the four key security areas in which the VA has struggled. Those items included configuration management controls, access controls, security management and contingency planning.
Access controls – There were a number of problems for the VA here, including no multi-system passwords being enforced, no multi-factor authentication for remote users and infrequent user access audits.
Security management – The VA’s security documentation was apparently outdated and was not in line with required federal standards. Databreachtoday.com said that background re-investigations were not performed in a timely manner or tracked effectively and personnel had not received the proper level of investigation for the sensitivity levels of their positions.
Contingency planning controls – It doesn’t seem as though keeping disaster recovery (DR) plans up to date has been a huge priority for the VA to this point, and backup tapes remained unencrypted prior to being sent to offsite storage at selected facilities and data centers.
Configuration management controls – Systems were not patched in a timely way or securely configured to mitigate information security vulnerabilities. Baseline configurations were not consistently implemented to mitigate significant system security risks and vulnerabilities across the facilities. Change control procedures for authorizing, testing and approving system changes were inconsistently implemented.
As previously reported, the VA’s 4,000 vulnerabilities represent a steep decline from the 15,000 that the IG identified two years ago. But this is still clearly an issue that needs to be resolved given that the VA is the largest integrated health system in the U.S.